authorFraser Tweedale <ftweedal@redhat.com>2017-01-13 12:25:26 +1000
committerFraser Tweedale <ftweedal@redhat.com>2017-02-10 10:36:06 +1000
commit76266bbf9b48f0ff01e7bfc9cd114c7ced460256 (patch)
tree7dddc41b1984c5481b4b1aca47d68faa7ccad964 /base/server/cms/src/com
parent31dfbb569756e8c28500b597ac4486f780761c4c (diff)
Allow DirAclAuthz to be configured to read alternative entry
Add the `searchBase' parameter for DirAclAuthz instances. If specified, it is prepended to the baseDN. This allows reusing an existing LDAP connection config (e.g. "internaldb") while changing where the instance loads the ACLs from. Part of: https://fedorahosted.org/pki/ticket/1359 Fixes: https://fedorahosted.org/pki/ticket/2525
Diffstat (limited to 'base/server/cms/src/com')
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java26
1 files changed, 23 insertions, 3 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
index bcb81f3d0..3e2a1b36f 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
@@ -53,11 +53,20 @@ public class DirAclAuthz extends AAclAuthz
// members
protected static final String PROP_BASEDN = "basedn";
+ protected static final String PROP_SEARCHBASE = "searchBase";
private ILdapConnFactory mLdapConnFactory = null;
private String mBaseDN = null;
private static boolean needsFlush = false;
+ /**
+ * If configured, this is an LDAP RDN sequence to be
+ * prepended to the LDAP base DN, as the base of the
+ * search. If non-null, the search filter also changes
+ * from (cn=aclResources) to (objectclass=CertACLS).
+ */
+ private String searchBase = null;
+
static {
mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" +
"LDAP host to connect to");
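Review bot: The Javadoc added for `searchBase` says the filter becomes `(objectclass=CertACLS)`, but the filter string the later hunk actually uses is `"objectclass=CertACLs"`; the comment should match the code so the next reader does not go looking for a second object class, e.g. `* from (cn=aclResources) to (objectclass=CertACLs).`. It would also help to state here that the value is taken verbatim as an RDN sequence from the `searchBase` config property and is not escaped or validated, since that is the one place where an operator-supplied string becomes part of a DN. As a point of style, the new field is the only one in this member group without the `m` prefix used by `mLdapConnFactory` and `mBaseDN`; `mSearchBase` would keep the class consistent. The class body continues outside this hunk.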
@@ -106,6 +115,8 @@ public class DirAclAuthz extends AAclAuthz
throws EBaseException {
super.init(name, implName, config);
+ searchBase = config.getString(PROP_SEARCHBASE, null);
+
// initialize LDAP connection factory
IConfigStore ldapConfig = config.getSubStore("ldap");
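Review bot: The new `searchBase = config.getString(PROP_SEARCHBASE, null);` line only normalises an absent property to null, so a property that is present but blank (if the config store returns it as an empty string — worth confirming against IConfigStore) would survive as `""`, pass the `searchBase != null` test used when building the search, and produce a DN with a leading comma. Normalising here keeps the later branch simple: `searchBase = config.getString(PROP_SEARCHBASE, null);` followed by `if (searchBase != null && searchBase.trim().isEmpty()) searchBase = null;`. A `CMS.debug` line logging the resolved value would also make a misconfigured base easier to diagnose than a failed search later. The enclosing `init` method continues outside this hunk.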
@@ -134,11 +145,20 @@ public class DirAclAuthz extends AAclAuthz
// into memory
LDAPConnection conn = null;
- CMS.debug("DirAclAuthz: about to ldap search aclResources");
+ String basedn = mBaseDN;
+ String filter = "cn=aclResources";
+ if (searchBase != null) {
+ basedn = String.join(",", searchBase, basedn);
+ filter = "objectclass=CertACLs";
+ }
+
+ CMS.debug(
+ "DirAclAuthz: about to ldap search "
+ + basedn + " (" + filter + ")");
try {
conn = getConn();
- LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
- "cn=aclResources", null, false);
+ LDAPSearchResults res = conn.search(
+ basedn, LDAPv2.SCOPE_SUB, filter, null, false);
returnConn(conn);
if (res.hasMoreElements()) {